<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>信息系统安全实训第四天 | 路漫漫其修远兮，吾将上下而求索</title><meta name="keywords" content="上课笔记,网络攻防"><meta name="author" content="Charles Yan"><meta name="copyright" content="Charles Yan"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="1.文件上传漏洞2.xss漏洞3.命令执行漏洞">
<meta property="og:type" content="article">
<meta property="og:title" content="信息系统安全实训第四天">
<meta property="og:url" content="https://www.charlesyan.cn/2021/06/24/%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%AE%9E%E8%AE%AD%E7%AC%AC%E5%9B%9B%E5%A4%A9/index.html">
<meta property="og:site_name" content="路漫漫其修远兮，吾将上下而求索">
<meta property="og:description" content="1.文件上传漏洞2.xss漏洞3.命令执行漏洞">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/3989.jpg">
<meta property="article:published_time" content="2021-06-24T15:13:39.255Z">
<meta property="article:modified_time" content="2021-07-05T01:17:13.810Z">
<meta property="article:author" content="Charles Yan">
<meta property="article:tag" content="上课笔记">
<meta property="article:tag" content="网络攻防">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/3989.jpg"><link rel="shortcut icon" href="/img/favicon.ico"><link rel="canonical" href="https://www.charlesyan.cn/2021/06/24/%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%AE%9E%E8%AE%AD%E7%AC%AC%E5%9B%9B%E5%A4%A9/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/node-snackbar/dist/snackbar.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: {"path":"search.xml","languages":{"hits_empty":"找不到您查询的内容：${query}"}},
  translate: {"defaultEncoding":2,"translateDelay":0,"msgToTraditionalChinese":"繁","msgToSimplifiedChinese":"简"},
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: true,
    post: false
  },
  runtime: '天',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'mediumZoom',
  Snackbar: {"chs_to_cht":"你已切换为繁体","cht_to_chs":"你已切换为简体","day_to_night":"你已切换为深色模式","night_to_day":"你已切换为浅色模式","bgLight":"#49b1f5","bgDark":"#121212","position":"bottom-left"},
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    },
    fancybox: {
      js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
      css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: true
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: '信息系统安全实训第四天',
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2021-07-05 09:17:13'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
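    win.saveToLocal = {
      // Persist `value` under `key` in localStorage, expiring `ttl` days from now.
      // A ttl of 0 means "do not remember this preference at all".
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const expiresAt = Date.now() + ttl * 86400000
        // localStorage can be unavailable or full (private mode, quota, storage disabled);
        // a failed write must not abort the inline theme script that calls this.
        try {
          localStorage.setItem(key, JSON.stringify({ value: value, expiry: expiresAt }))
        } catch (e) {
          /* best effort: the preference simply is not remembered */
        }
      },

      // Read back a value written by `set`. Returns undefined when the key is absent,
      // expired, or does not hold the {value, expiry} object we write. Any script on this
      // origin can write localStorage, so the stored text is treated as untrusted: the
      // original JSON.parse without a guard threw on a corrupt entry and took the rest of
      // this inline script (theme, aside and font-size restore) down with it.
      get: function getWithExpiry(key) {
        let raw
        try {
          raw = localStorage.getItem(key)
        } catch (e) {
          return undefined
        }
        if (!raw) return undefined

        let item
        try {
          item = JSON.parse(raw)
        } catch (e) {
          item = null
        }
        if (item === null || typeof item !== 'object') {
          // Corrupt or foreign entry: drop it so it cannot fail again on every page load.
          try { localStorage.removeItem(key) } catch (e) { /* ignore */ }
          return undefined
        }

        if (Date.now() > item.expiry) {
          try { localStorage.removeItem(key) } catch (e) { /* ignore */ }
          return undefined
        }
        return item.value
      }
    }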
  
    // Inject a <script src=url> into <head> and resolve once it has executed; rejects on a network/load error.
    win.getScript = url => new Promise((resolve, reject) => {
      const tag = document.createElement('script')
      // NOTE: the URL is loaded verbatim with no `integrity` attribute, so a caller passing a
      // CDN URL is trusting that CDN completely.
      tag.src = url
      tag.async = true
      tag.onerror = reject
      // Legacy IE reports completion through readyState instead of a load event; treat either as done.
      const onReady = function () {
        const state = this.readyState
        const stillLoading = state && state !== 'loaded' && state !== 'complete'
        if (stillLoading) return
        tag.onload = tag.onreadystatechange = null
        resolve()
      }
      tag.onload = tag.onreadystatechange = onReady
      document.head.appendChild(tag)
    })
  
      // Switch the document to the dark theme and keep the browser chrome colour in step.
      win.activateDarkMode = function () {
        const root = document.documentElement
        root.setAttribute('data-theme', 'dark')
        const themeMeta = document.querySelector('meta[name="theme-color"]')
        if (themeMeta !== null) themeMeta.setAttribute('content', '#0d0d0d')
      }
      // Switch the document to the light theme and keep the browser chrome colour in step.
      win.activateLightMode = function () {
        const root = document.documentElement
        root.setAttribute('data-theme', 'light')
        const themeMeta = document.querySelector('meta[name="theme-color"]')
        if (themeMeta !== null) themeMeta.setAttribute('content', '#ffffff')
      }
      // Restore the visitor's saved preferences before first paint so the page does not flash.
      const savedTheme = saveToLocal.get('theme')
      // Only an explicit stored choice overrides the server-rendered data-theme attribute.
      if (savedTheme === 'dark') {
        activateDarkMode()
      } else if (savedTheme === 'light') {
        activateLightMode()
      }

      const savedAside = saveToLocal.get('aside-status')
      if (savedAside !== undefined) {
        const rootClasses = document.documentElement.classList
        if (savedAside === 'hide') rootClasses.add('hide-aside')
        else rootClasses.remove('hide-aside')
      }

      // The stored value is used as a CSS custom property only; it is never interpreted as markup.
      const savedFontSize = saveToLocal.get('global-font-size')
      if (savedFontSize !== undefined) {
        document.documentElement.style.setProperty('--global-font-size', savedFontSize + 'px')
      }
    })(window)</script><link rel="stylesheet" href="/css/selfdesign.css" media="defer" onload="this.media='all'"><meta name="generator" content="Hexo 5.4.0"></head><body><div id="loading-box"><div class="loading-left-bg"></div><div class="loading-right-bg"></div><div class="spinner-box"><div class="configure-border-1"><div class="configure-core"></div></div><div class="configure-border-2"><div class="configure-core"></div></div><div class="loading-word">加载中...</div></div></div><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="/img/My%20avatar.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/archives/"><div class="headline">文章</div><div class="length-num">37</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/categories/"><div class="headline">分类</div><div class="length-num">12</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fa fa-home"></i><span> 主页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fa fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fa fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fa fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page" href="/messageboard/"><i class="fa-fw fa fa-coffee"></i><span> 留言板</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fa fa-link"></i><span> 友情链接</span></a></div><div 
class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h1 id="信息系统安全实训第四天"><a href="#信息系统安全实训第四天" class="headerlink" title="信息系统安全实训第四天"></a>信息系统安全实训第四天</h1><h2 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="文件上传漏洞"></a>文件上传漏洞</h2><h3 id="1-文件上传漏洞训练营pass-03"><a href="#1-文件上传漏洞训练营pass-03" class="headerlink" title="1. 文件上传漏洞训练营pass-03"></a>1. 文件上传漏洞训练营pass-03</h3><ol>
<li>已知不能上传 php 文件，但检查只看后缀名：把一句话木马的后缀改成 <code>.php3</code> 后即可上传。（黑名单漏掉了 <code>.php3</code>、<code>.phtml</code> 这类同样可能被交给 PHP 解析的变体，这是后缀黑名单的典型缺陷。）</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624164248367.png" alt="image-20210624164248367" style="zoom:50%;" /></p>
<p>右击复制图像连接，获取url<code>http://d3566e57.yunyansec.com/upload/202106241712204346.php3</code></p>
<ol>
<li>在 httpd.conf 文件中添加如下配置（见图）。说明：上传的 <code>.php3</code> 文件能否当作 PHP 执行，取决于 Apache 是否把该后缀映射给 PHP 处理器，这一步应当就是补上这一映射。若真实目标没有这样的配置，<code>.php3</code> 只会作为静态文件原样返回，绕过后缀检查并不等于拿到代码执行。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624171530612.png" alt="image-20210624171530612" style="zoom:50%;" /></p>
<ol>
<li>打开蚁剑，填入上一步得到的 URL 和一句话木马的连接密码，测试连接。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624171251371.png" alt="image-20210624171251371"></p>
<h3 id="2-文件上传漏洞训练营pass-21"><a href="#2-文件上传漏洞训练营pass-21" class="headerlink" title="2. 文件上传漏洞训练营pass-21"></a>2. 文件上传漏洞训练营pass-21</h3><ol>
<li>这里会过滤 php 文件以及 php 字段，单靠改后缀已经不够，因此改用"图片马"：把一句话木马藏进一张合法图片里，让文件看起来是一张正常图片（题目限制）。注意图片里的 PHP 代码本身不会被执行，必须有服务端解析或文件包含配合；从后文能用蚁剑连接来看，题目环境具备这一条件。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/069A500F70C9EB0243EB070FC74B10A7.png" alt="069A500F70C9EB0243EB070FC74B10A7" style="zoom:50%;" /></p>
<p>用记事本打开图片，在文件末尾写入代码；或者直接在命令行把木马追加到图片末尾（追加不会破坏图片头，文件仍然是一张能正常打开的图片）：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat 1.txt &gt;&gt; 1.jpg<span class="comment">#1.txt中是一句话木马</span></span><br></pre></td></tr></table></figure>
<ol>
<li>然后上传该文件，提示上传成功；用与上面相同的方法，在蚁剑中填入文件 URL 和密码进行连接。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/F5F19AB20A5342BF5DE6D9ECEC7428C5.png" alt="F5F19AB20A5342BF5DE6D9ECEC7428C5" style="zoom:50%;" /></p>
<h3 id="3-UCMS文件上传漏洞"><a href="#3-UCMS文件上传漏洞" class="headerlink" title="3. UCMS文件上传漏洞"></a>3. UCMS文件上传漏洞</h3><ol>
<li>在 kali 中用 dirsearch 做目录/文件枚举（注意这是 Web 路径扫描，不是端口扫描），目的是找出遗留的安装脚本等敏感路径：</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 dirsearch.py -u http://5f70ea3f.yunyansec.com -e jsp,php</span><br></pre></td></tr></table></figure>
<ol>
<li>枚举后访问 <code>http://5f70ea3f.yunyansec.com//install/index.php?upgrade/</code>，说明安装目录上线后没有删除，可以重新进入安装/升级流程；然后点击进入后台，用 <code>admin</code> / <code>admin123</code> 登录。（install 目录未删除、后台使用弱口令，是这条利用链成立的两个前提。）</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624170145647.png" alt="image-20210624170145647"></p>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624170309175.png" alt="image-20210624170309175" style="zoom:50%;" /></p>
<ol>
<li>进入"文件管理"，编辑 index.php，把其内容改为一句话木马。后台的文件管理功能允许直接改写站点 PHP 源码，本质上是已认证的任意文件写入；直接覆盖 index.php 会让首页失效，实际测试中更稳妥的做法是新建一个文件。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624171031556.png" alt="image-20210624171031556" style="zoom:50%;" /></p>
<ol>
<li>然后打开蚁剑，url输入<code>http://5f70ea3f.yunyansec.com/</code></li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624171140356.png" alt="image-20210624171140356" style="zoom:50%;" /></p>
<h3 id="4-PHPOA4-0-任意文件上传漏洞"><a href="#4-PHPOA4-0-任意文件上传漏洞" class="headerlink" title="4. PHPOA4.0.任意文件上传漏洞"></a>4. PHPOA4.0.任意文件上传漏洞</h3><ol>
<li>进入环境，账户名密码为<code>admin</code> <code>admin123</code></li>
<li>然后进入"公共文件柜"，直接上传 .php 一句话木马——这里的上传功能未限制 .php 后缀，不需要任何绕过（标题中的"任意文件上传"指的就是这一点）。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624163614320.png" alt="image-20210624163614320"></p>
<ol>
<li>右键查看文件链接，得到上传文件的真实 URL：上传目录可以直接访问，文件名是 Unix 时间戳，攻击者无需猜测。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624163601924.png" alt="image-20210624163601924"></p>
<p><code>http://5dfc9551.yunyansec.com/data/uploadfile/1/1624523682.php</code></p>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624163552101.png" alt="image-20210624163552101"></p>
<ol>
<li>测试连接成功，然后点击添加，进入文件管理</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624163759846.png" alt="image-20210624163759846"></p>
<h2 id="XSS漏洞"><a href="#XSS漏洞" class="headerlink" title="XSS漏洞"></a>XSS漏洞</h2><h3 id="一、零基础入门-xss漏洞实验（xss过滤困难）"><a href="#一、零基础入门-xss漏洞实验（xss过滤困难）" class="headerlink" title="一、零基础入门-xss漏洞实验（xss过滤困难）"></a>一、零基础入门-xss漏洞实验（xss过滤困难）</h3><ol>
<li>经过测试，输入中的危险子串会被删掉，像 script、alert、on、img、&lt;、src 等都会被清除。但从下面的结果看，这种过滤只做一次替换、不递归，被删掉的子串两侧会重新拼接——这正是可利用之处。</li>
<li>可以在框中输入：<code>213&quot; oimgnclick=&quot;alimgert(1)</code>。过滤器删掉两处 img 后，剩下的正好拼成 <code>213&quot; onclick=&quot;alert(1)</code>；payload 以引号开头，说明输入被反射在某个标签的属性值里，用引号闭合该属性即可注入事件处理器，因此不需要被过滤掉的 <code>&lt;</code>。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624152202401.png" alt="image-20210624152202401"></p>
<ol>
<li>success!</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624152052657.png" alt="image-20210624152052657"></p>
<h3 id="二、JYmusic存储型XSS"><a href="#二、JYmusic存储型XSS" class="headerlink" title="二、JYmusic存储型XSS"></a>二、JYmusic存储型XSS</h3><ol>
<li>先用火狐打开该站点，注册一个普通账户作为攻击者。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624102218414.png" alt="image-20210624102218414" style="zoom:50%;" /></p>
<ol>
<li>然后点击歌曲 <code>test</code>，在下方评论区提交自己 XSS 平台生成的 payload。评论会被保存并在页面渲染时原样输出（存储型），之后任何打开这首歌页面的用户都会执行它。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624102516165.png" alt="image-20210624102516165" style="zoom:50%;" /></p>
<ol>
<li>而后在 Google 浏览器以管理员身份登录，点击 test 歌曲。然后在自己的 XSS 后台会多出两条数据：第一条是 demo 用户的，第二条是 admin 用户的，复制第二条的 PHPSESSID。（能被页面脚本读到 PHPSESSID，说明会话 cookie 没有设置 HttpOnly；修复时除了对评论做输出编码，还应给会话 cookie 加上 HttpOnly。）</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624104747870.png" alt="image-2021062404747870" style="zoom:50%;" /></p>
<ol>
<li>然后在火狐浏览器中打开 cookie 编辑器，把自己的 PHPSESSID 改为管理员的值。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624103126845.png" alt="image-20210624103126845"></p>
<ol>
<li>然后访问 /admin.php，凭借劫持到的会话不需要密码就直接进入后台。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624104809408.png" alt="image-0210624104809408" style="zoom:50%;" /></p>
<p>success！</p>
<h2 id="命令执行漏洞"><a href="#命令执行漏洞" class="headerlink" title="命令执行漏洞"></a>命令执行漏洞</h2><h3 id="基础题目之命令执行"><a href="#基础题目之命令执行" class="headerlink" title="基础题目之命令执行"></a>基础题目之命令执行</h3><ol>
<li>打开环境，测试输入发现 <code>&amp;&amp; ls</code> 会被过滤，而 <code>|| ls</code> 可以。这说明过滤只是针对个别分隔符的黑名单；注意 <code>||</code> 只有在前一条命令失败（退出码非零）时才执行后面的命令，这里能奏效应是因为注入点前面的命令本身执行失败了。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624144507580.png" alt="image-20210624144507580" style="zoom:50%;" /></p>
<ol>
<li>然后输入 <code>|| ls ../</code> 发现key.php</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624144624824.png" alt="image-20210624144624824" style="zoom:50%;" /></p>
<ol>
<li>然后输入 <code>|| cat ../key.php</code>，页面只显示 <code>Get it! ?&gt;</code>：cat 的输出被原样嵌进 HTML，以 <code>&lt;?php</code> 开头的那段应是被浏览器当作标签解析而不显示，所以 flag 在页面上看不到。</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624144723907.png" alt="image-20210624144723907" style="zoom:50%;" /></p>
<ol>
<li>页面上没有 flag，右键查看网页源代码，被浏览器吞掉的那段 PHP 代码里就有它：</li>
</ol>
<p><img src="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/image-20210624144900066.png" alt="image-20210624144900066" style="zoom:50%;" /></p>
<p>显示flag</p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">Charles Yan</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://www.charlesyan.cn/2021/06/24/%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%AE%9E%E8%AE%AD%E7%AC%AC%E5%9B%9B%E5%A4%A9/">https://www.charlesyan.cn/2021/06/24/%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%AE%9E%E8%AE%AD%E7%AC%AC%E5%9B%9B%E5%A4%A9/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://www.charlesyan.cn" target="_blank">路漫漫其修远兮，吾将上下而求索</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/%E4%B8%8A%E8%AF%BE%E7%AC%94%E8%AE%B0/">上课笔记</a><a class="post-meta__tags" href="/tags/%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2/">网络攻防</a></div><div class="post_share"><div class="social-share" data-image="https://gitee.com/yan_zilong/picgo/raw/master/img/Blog/post/密码学复习提纲/3989.jpg" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><div class="post-reward"><div class="reward-button button--animated"><i class="fas fa-qrcode"></i> 打赏</div><div class="reward-main"><ul class="reward-all"><li class="reward-item"><a href="/img/IMG_0003.jpeg" target="_blank"><img class="post-qr-code-img" src="/img/IMG_0003.jpeg" alt="wechat"/></a><div class="post-qr-code-desc">wechat</div></li><li 
title="阅读模式"><i class="fas fa-book-open"></i></button><button id="font-plus" type="button" title="放大字体"><i class="fas fa-plus"></i></button><button id="font-minus" type="button" title="缩小字体"><i class="fas fa-minus"></i></button><button id="translateLink" type="button" title="简繁转换">简</button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="chat_btn" type="button" title="rightside.chat_btn"><i class="fas fa-sms"></i></button><a id="to_comment" href="#post-comment" title="直达评论"><i class="fas fa-comments"></i></a><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div id="local-search"><div class="search-dialog"><div class="search-dialog__title" id="local-search-title">本地搜索</div><div id="local-input-panel"><div id="local-search-input"><div class="local-search-box"><input class="local-search-box--input" placeholder="搜索文章" type="text"/></div></div></div><hr/><div id="local-search-results"></div><span class="search-close-button"><i class="fas fa-times"></i></span></div><div id="search-mask"></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="/js/tw_cn.js"></script><!-- NOTE(review): the three jsDelivr scripts below carry no integrity/crossorigin attributes, so an altered CDN artifact runs with full access to this origin (localStorage, the comment widget, every page). Pin versions and add SRI. --><script src="https://cdn.jsdelivr.net/npm/medium-zoom/dist/medium-zoom.min.js"></script><script src="https://cdn.jsdelivr.net/npm/instant.page/instantpage.min.js" type="module"></script><script src="https://cdn.jsdelivr.net/npm/node-snackbar/dist/snackbar.min.js"></script><script>// Run pangu's CJK/Latin auto-spacing over the page, fetching pangu from jsDelivr on first use.
function panguFn () {
  if (typeof pangu === 'object') pangu.autoSpacingPage()
  else {
    // Loaded through getScript (no integrity hash); a rejected load is not handled here.
    getScript('https://cdn.jsdelivr.net/npm/pangu/dist/browser/pangu.min.js')
      .then(() => {
        pangu.autoSpacingPage()
      })
  }
}

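// DOMContentLoaded hook: apply pangu spacing to the page.
// The theme template emitted `if (false) { GLOBAL_CONFIG_SITE.isPost && panguFn() } else { panguFn() }`,
// a build-time "only on posts" switch that is off for this site; the first branch was unreachable,
// so the only behaviour is an unconditional call.
function panguInit () {
  panguFn()
}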

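document.addEventListener('DOMContentLoaded', panguInit)</script><script src="/js/search/local-search.js"></script><script>// Controls the full-page "加载中..." overlay (#loading-box) shown while the page loads.
var preloader = {
  // Hide the overlay and restore scrolling.
  endLoading: () => {
    document.body.style.overflow = 'auto';
    document.getElementById('loading-box').classList.add("loaded")
  },
  // Show the overlay again and lock scrolling (not called on this page; presumably for pjax navigation).
  initLoading: () => {
    document.body.style.overflow = '';
    document.getElementById('loading-box').classList.remove("loaded")
  }
}
// Bug fix: the original registered `preloader.endLoading()` — the undefined result of calling it —
// as the listener, so the overlay was removed synchronously while this script ran and the `load`
// listener itself was a no-op. Passing the function keeps the overlay up until the page (including
// its remote images and scripts) has actually finished loading.
window.addEventListener('load', preloader.endLoading)</script><div class="js-pjax"><script>// Mermaid is fetched only when the article contains a .mermaid diagram.
if (document.getElementsByClassName('mermaid').length) {
  if (window.mermaidJsLoad) mermaid.init()
  else {
    getScript('https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js').then(() => {
      window.mermaidJsLoad = true
      mermaid.initialize({
        theme: 'default',
      })
      // The template emitted `false && mermaid.init()` here, a build-time switch that is off;
      // it never ran, so it is dropped. Subsequent loads take the `mermaidJsLoad` branch above.
    })
  }
}</script><script>(()=>{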
  // Target for the comment count; no element with id "twikoo-count" appears in this page's markup,
  // so this is expected to be null and getCount is skipped.
  const $countDom = document.getElementById('twikoo-count')
  // Mount the Twikoo comment widget into #twikoo-wrap, backed by the Vercel-hosted envId.
  const init = () => {
    // The template emitted `Object.assign({...}, null)`; a null source is ignored,
    // so the options are exactly the three fields below.
    const options = Object.assign({
      el: '#twikoo-wrap',
      envId: 'https://twikoo-beta-tawny.vercel.app/',
      region: ''
    }, null)
    twikoo.init(options)
  }

  // Fetch the comment count for the current path and write it into $countDom; errors only go to the console.
  const getCount = () => {
    const request = {
      envId: 'https://twikoo-beta-tawny.vercel.app/',
      region: '',
      urls: [window.location.pathname],
      includeReply: false
    }
    const showCount = res => {
      $countDom.innerText = res[0].count
    }
    const logFailure = err => {
      console.error(err);
    }
    twikoo.getCommentsCount(request).then(showCount).catch(logFailure);
  }

  // Ensure the Twikoo library is present, then mount the widget; when `bool` is set and a
  // count element exists, also schedule the comment-count fetch.
  const loadTwikoo = (bool = false) => {
    const afterInit = () => {
      init()
      if (bool && $countDom) setTimeout(getCount, 0)
    }
    if (typeof twikoo === 'object') {
      afterInit()
    } else {
      // NOTE: fetched from jsDelivr with no version pin and, via getScript, no integrity hash;
      // the comment widget therefore runs whatever the CDN currently serves.
      getScript('https://cdn.jsdelivr.net/npm/twikoo/dist/twikoo.all.min.js').then(afterInit)
    }
  }

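  // Build-time switches baked in by the theme template: the comment system is Twikoo and neither
  // "second comment system" nor the `btf.loadComment` deferred path is enabled, so the original
  // `if ('Twikoo' === 'Twikoo' || !false) { if (false) btf.loadComment(...) else loadTwikoo(true) }`
  // ladder reduces to an unconditional eager load. The `window.loadOtherComment` fallback in the
  // other branch was unreachable and is dropped.
  loadTwikoo(true)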
})()</script></div><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>